A former chairman of the U.S. Federal Communications Commission is asking policymakers to consider ways to improve mobile security as the nation moves toward fifth-generation, or 5G, networks.
One suggestion: launching a new program to inspect and certify 5G devices for secure operations, much like the agency certifies devices using radio spectrum to ensure they don’t interfere with other signals. That was floated in a recent paper by Tom Wheeler, who served as FCC chairman during the Obama administration and is now a visiting fellow at the Brookings Institution, and David Simpson, the former chief of the FCC’s Public Safety and Homeland Security Bureau.
The federal government should also institute a rewards-based program to encourage companies to improve cybersecurity, the paper says, and it should consider new rules that require mobile devices to include labels that explain their cybersecurity risks to consumers.
Because 5G will be more software-based than previous hardware-powered networks, cybersecurity will become increasingly important, Wheeler and Simpson write. While many are focused on the race to be the first country with widely deployed 5G, that race should not come at the expense of cybersecurity, they warn.
With 5G networks, “future upgrades will be software updates much like the current upgrades to your smartphone,” they add. “Because of the cyber vulnerabilities of software, the tougher part of the real 5G ‘race’ is to retool how we secure the most important network of the 21st century and the ecosystem of devices and applications that sprout from that network.”
While President Trump’s administration has focused on keeping Chinese telecom vendors out of the U.S. market, 5G security considerations go deeper.
“Policy leaders should be conducting a more balanced risk assessment, with a broader focus on vulnerabilities, threat probabilities, and impact drivers of the cyber risk equation,” they add. “This should be followed by an honest evaluation of the oversight necessary to assure that the promise of 5G is not overcome by cyber vulnerabilities, which result from hasty deployments that fail to sufficiently invest in cyber risk mitigation.”
The paper doesn’t provide detailed recommendations for new policies or regulations, instead focusing on raising awareness about potential security risks for 5G.
The proposals are appropriate, considering the security risks of a 5G network, said Gabe Turner, a lawyer and director of content at device security reviews site Security Baron.
“Manufacturers must put cybersecurity features into the original designs of the products, not as an afterthought as it often is now,” he said. “It’s completely appropriate that the federal government should have a say in how companies protect consumer data.”
The federal government should mandate that mobile devices have “reasonable” cybersecurity features, such as two-factor authentication, built in, he recommended. The reasonable security provision is inspired by a California “internet of things” law passed in 2018.
Other security experts weren’t sure if government regulation is the right direction.
“Security is always a moving target, so while the paper lays out some foundations, it requires all stakeholders to be involved to keep up with the security threats,” said Marty Puranik, president and CEO of Atlantic.net, a security-focused web hosting firm. “The challenge becomes new types of threats that can’t be imagined today, and protecting against them for tomorrow.”
There needs to be discussion over who leads the 5G security charge, whether it is a consumer protection agency, an industry association, or some other group, he said.
Meanwhile, the paper seems to assign too much responsibility for 5G security to the network carriers, said Stewart Kantor, president and CFO of Ondas Networks.
“Cyber threats and vulnerabilities are not unique to the wireless carriers and their air interface protocol,” he said. “These threats and security vulnerabilities are rampant today and are a result of the ubiquity and efficacy of internet protocol and internet protocol-enabled devices.”
Many of these connected devices, “without the proper security protocols, are vulnerable from almost any bad actor on earth,” Kantor added.
Cybersecurity, instead, should be a shared responsibility of the carriers, hardware makers, application developers, end users, and others, he suggested. Kantor called on the government to focus on creating best practices, with cybersecurity regulations in “certain instances” for critical industries.